Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.
Rule type: eql
Risk score: 43
Runs every: 5 minutes
Maximum alerts per execution: 100
- Threat Detection
Version: 2 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.11.2
Rule authors: Elastic
Rule license: Elastic License
The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.
file where file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll"
Framework: MITRE ATT&CKTM
- Version 2 (7.11.2 release)
- Formatting only